X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fback-ldap.h;h=9098d40841bd356e206692776a33fac9a173a7bf;hb=86c4dca647a164dd7d24d13194f5a9c1f6414a22;hp=96e8ef5af452b290d1f9434703c804c14c9aa1fd;hpb=8b954144d612e78da4c8c815007717fc9781cab6;p=openldap diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h index 96e8ef5af4..9098d40841 100644 --- a/servers/slapd/back-ldap/back-ldap.h +++ b/servers/slapd/back-ldap/back-ldap.h @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1999-2004 The OpenLDAP Foundation. + * Copyright 1999-2008 The OpenLDAP Foundation. * Portions Copyright 2000-2003 Pierangelo Masarati. * Portions Copyright 1999-2003 Howard Chu. * All rights reserved. @@ -24,193 +24,414 @@ #ifndef SLAPD_LDAP_H #define SLAPD_LDAP_H -#include "external.h" - -/* String rewrite library */ -#ifdef ENABLE_REWRITE -#include "rewrite.h" -#endif /* ENABLE_REWRITE */ - -#ifdef LDAP_DEVEL -#define LDAP_BACK_PROXY_AUTHZ -#endif +#include "../back-monitor/back-monitor.h" LDAP_BEGIN_DECL -struct slap_conn; -struct slap_op; -struct slap_backend_db; - -struct ldapconn { - struct slap_conn *conn; - LDAP *ld; - struct berval cred; - struct berval bound_dn; - struct berval local_dn; - int bound; - ldap_pvt_thread_mutex_t lc_mutex; -}; - -struct ldapmap { - int drop_missing; - - Avlnode *map; - Avlnode *remap; -}; - -struct ldapmapping { - struct berval src; - struct berval dst; -}; - -struct ldaprwmap { - /* - * DN rewriting - */ -#ifdef ENABLE_REWRITE - struct rewrite_info *rwm_rw; -#else /* !ENABLE_REWRITE */ - /* some time the suffix massaging without librewrite - * will be disabled */ - BerVarray rwm_suffix_massage; -#endif /* !ENABLE_REWRITE */ - - /* - * Attribute/objectClass mapping - */ - struct ldapmap rwm_oc; - struct ldapmap rwm_at; +struct ldapinfo_t; + +/* stuff required for monitoring */ +typedef struct ldap_monitor_info_t { + monitor_subsys_t lmi_mss; + struct ldapinfo_t *lmi_li; + + struct berval lmi_rdn; + struct berval lmi_nrdn; + monitor_callback_t *lmi_cb; + struct berval lmi_base; + int lmi_scope; + struct berval lmi_filter; + struct berval lmi_more_filter; +} ldap_monitor_info_t; + +enum { + /* even numbers are connection types */ + LDAP_BACK_PCONN_FIRST = 0, + LDAP_BACK_PCONN_ROOTDN = LDAP_BACK_PCONN_FIRST, + LDAP_BACK_PCONN_ANON = 2, + LDAP_BACK_PCONN_BIND = 4, + + /* add the TLS bit */ + LDAP_BACK_PCONN_TLS = 0x1U, + + LDAP_BACK_PCONN_ROOTDN_TLS = (LDAP_BACK_PCONN_ROOTDN|LDAP_BACK_PCONN_TLS), + LDAP_BACK_PCONN_ANON_TLS = (LDAP_BACK_PCONN_ANON|LDAP_BACK_PCONN_TLS), + LDAP_BACK_PCONN_BIND_TLS = (LDAP_BACK_PCONN_BIND|LDAP_BACK_PCONN_TLS), + + LDAP_BACK_PCONN_LAST }; -struct ldapinfo { - struct slap_backend_db *be; - char *url; - LDAPURLDesc *lud; - struct berval binddn; - struct berval bindpw; -#ifdef LDAP_BACK_PROXY_AUTHZ - struct berval proxyauthzdn; - struct berval proxyauthzpw; +typedef struct ldapconn_t { + Connection *lc_conn; +#define LDAP_BACK_CONN2PRIV(lc) ((unsigned long)(lc)->lc_conn) +#define LDAP_BACK_PCONN_ISPRIV(lc) ((void *)(lc)->lc_conn >= (void *)LDAP_BACK_PCONN_FIRST \ + && (void *)(lc)->lc_conn < (void *)LDAP_BACK_PCONN_LAST) +#define LDAP_BACK_PCONN_ISROOTDN(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \ + && (LDAP_BACK_CONN2PRIV((lc)) < LDAP_BACK_PCONN_ANON)) +#define LDAP_BACK_PCONN_ISANON(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \ + && (LDAP_BACK_CONN2PRIV((lc)) < LDAP_BACK_PCONN_BIND) \ + && (LDAP_BACK_CONN2PRIV((lc)) >= LDAP_BACK_PCONN_ANON)) +#define LDAP_BACK_PCONN_ISBIND(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \ + && (LDAP_BACK_CONN2PRIV((lc)) >= LDAP_BACK_PCONN_BIND)) +#define LDAP_BACK_PCONN_ISTLS(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) \ + && (LDAP_BACK_CONN2PRIV((lc)) & LDAP_BACK_PCONN_TLS)) +#define LDAP_BACK_PCONN_ID(lc) (LDAP_BACK_PCONN_ISPRIV((lc)) ? \ + ( -1 - (long)(lc)->lc_conn ) : (lc)->lc_conn->c_connid ) +#ifdef HAVE_TLS +#define LDAP_BACK_PCONN_ROOTDN_SET(lc, op) \ + ((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? (void *) LDAP_BACK_PCONN_ROOTDN_TLS : (void *) LDAP_BACK_PCONN_ROOTDN)) +#define LDAP_BACK_PCONN_ANON_SET(lc, op) \ + ((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? (void *) LDAP_BACK_PCONN_ANON_TLS : (void *) LDAP_BACK_PCONN_ANON)) +#define LDAP_BACK_PCONN_BIND_SET(lc, op) \ + ((lc)->lc_conn = (void *)((op)->o_conn->c_is_tls ? (void *) LDAP_BACK_PCONN_BIND_TLS : (void *) LDAP_BACK_PCONN_BIND)) +#else /* ! HAVE_TLS */ +#define LDAP_BACK_PCONN_ROOTDN_SET(lc, op) \ + ((lc)->lc_conn = (void *)LDAP_BACK_PCONN_ROOTDN) +#define LDAP_BACK_PCONN_ANON_SET(lc, op) \ + ((lc)->lc_conn = (void *)LDAP_BACK_PCONN_ANON) +#define LDAP_BACK_PCONN_BIND_SET(lc, op) \ + ((lc)->lc_conn = (void *)LDAP_BACK_PCONN_BIND) +#endif /* ! HAVE_TLS */ +#define LDAP_BACK_PCONN_SET(lc, op) \ + (BER_BVISEMPTY(&(op)->o_ndn) ? \ + LDAP_BACK_PCONN_ANON_SET((lc), (op)) : LDAP_BACK_PCONN_ROOTDN_SET((lc), (op))) + + LDAP *lc_ld; + struct berval lc_cred; + struct berval lc_bound_ndn; + struct berval lc_local_ndn; + unsigned lc_lcflags; +#define LDAP_BACK_CONN_ISSET_F(fp,f) (*(fp) & (f)) +#define LDAP_BACK_CONN_SET_F(fp,f) (*(fp) |= (f)) +#define LDAP_BACK_CONN_CLEAR_F(fp,f) (*(fp) &= ~(f)) +#define LDAP_BACK_CONN_CPY_F(fp,f,mfp) \ + do { \ + if ( ((f) & *(mfp)) == (f) ) { \ + *(fp) |= (f); \ + } else { \ + *(fp) &= ~(f); \ + } \ + } while ( 0 ) + +#define LDAP_BACK_CONN_ISSET(lc,f) LDAP_BACK_CONN_ISSET_F(&(lc)->lc_lcflags, (f)) +#define LDAP_BACK_CONN_SET(lc,f) LDAP_BACK_CONN_SET_F(&(lc)->lc_lcflags, (f)) +#define LDAP_BACK_CONN_CLEAR(lc,f) LDAP_BACK_CONN_CLEAR_F(&(lc)->lc_lcflags, (f)) +#define LDAP_BACK_CONN_CPY(lc,f,mlc) LDAP_BACK_CONN_CPY_F(&(lc)->lc_lcflags, (f), &(mlc)->lc_lcflags) + +/* 0xFFF00000U are reserved for back-meta */ + +#define LDAP_BACK_FCONN_ISBOUND (0x00000001U) +#define LDAP_BACK_FCONN_ISANON (0x00000002U) +#define LDAP_BACK_FCONN_ISBMASK (LDAP_BACK_FCONN_ISBOUND|LDAP_BACK_FCONN_ISANON) +#define LDAP_BACK_FCONN_ISPRIV (0x00000004U) +#define LDAP_BACK_FCONN_ISTLS (0x00000008U) +#define LDAP_BACK_FCONN_BINDING (0x00000010U) +#define LDAP_BACK_FCONN_TAINTED (0x00000020U) +#define LDAP_BACK_FCONN_ABANDON (0x00000040U) +#define LDAP_BACK_FCONN_ISIDASR (0x00000080U) +#define LDAP_BACK_FCONN_CACHED (0x00000100U) + +#define LDAP_BACK_CONN_ISBOUND(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISBOUND) +#define LDAP_BACK_CONN_ISBOUND_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISBOUND) +#define LDAP_BACK_CONN_ISBOUND_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_ISBMASK) +#define LDAP_BACK_CONN_ISBOUND_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), LDAP_BACK_FCONN_ISBOUND, (mlc)) +#define LDAP_BACK_CONN_ISANON(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISANON) +#define LDAP_BACK_CONN_ISANON_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISANON) +#define LDAP_BACK_CONN_ISANON_CLEAR(lc) LDAP_BACK_CONN_ISBOUND_CLEAR((lc)) +#define LDAP_BACK_CONN_ISANON_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), LDAP_BACK_FCONN_ISANON, (mlc)) +#define LDAP_BACK_CONN_ISPRIV(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISPRIV) +#define LDAP_BACK_CONN_ISPRIV_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISPRIV) +#define LDAP_BACK_CONN_ISPRIV_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_ISPRIV) +#define LDAP_BACK_CONN_ISPRIV_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), LDAP_BACK_FCONN_ISPRIV, (mlc)) +#define LDAP_BACK_CONN_ISTLS(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISTLS) +#define LDAP_BACK_CONN_ISTLS_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISTLS) +#define LDAP_BACK_CONN_ISTLS_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_ISTLS) +#define LDAP_BACK_CONN_ISTLS_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), LDAP_BACK_FCONN_ISTLS, (mlc)) +#define LDAP_BACK_CONN_BINDING(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_BINDING) +#define LDAP_BACK_CONN_BINDING_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_BINDING) +#define LDAP_BACK_CONN_BINDING_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_BINDING) +#define LDAP_BACK_CONN_TAINTED(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_TAINTED) +#define LDAP_BACK_CONN_TAINTED_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_TAINTED) +#define LDAP_BACK_CONN_TAINTED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_TAINTED) +#define LDAP_BACK_CONN_ABANDON(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ABANDON) +#define LDAP_BACK_CONN_ABANDON_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ABANDON) +#define LDAP_BACK_CONN_ABANDON_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_ABANDON) +#define LDAP_BACK_CONN_ISIDASSERT(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISIDASR) +#define LDAP_BACK_CONN_ISIDASSERT_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISIDASR) +#define LDAP_BACK_CONN_ISIDASSERT_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_ISIDASR) +#define LDAP_BACK_CONN_ISIDASSERT_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), LDAP_BACK_FCONN_ISIDASR, (mlc)) +#define LDAP_BACK_CONN_CACHED(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_CACHED) +#define LDAP_BACK_CONN_CACHED_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_CACHED) +#define LDAP_BACK_CONN_CACHED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_CACHED) + + unsigned lc_refcnt; + unsigned lc_flags; + time_t lc_create_time; + time_t lc_time; + + LDAP_TAILQ_ENTRY(ldapconn_t) lc_q; +} ldapconn_t; + +typedef struct ldap_avl_info_t { + ldap_pvt_thread_mutex_t lai_mutex; + Avlnode *lai_tree; +} ldap_avl_info_t; + +typedef struct slap_retry_info_t { + time_t *ri_interval; + int *ri_num; + int ri_idx; + int ri_count; + time_t ri_last; + +#define SLAP_RETRYNUM_FOREVER (-1) /* retry forever */ +#define SLAP_RETRYNUM_TAIL (-2) /* end of retrynum array */ +#define SLAP_RETRYNUM_VALID(n) ((n) >= SLAP_RETRYNUM_FOREVER) /* valid retrynum */ +#define SLAP_RETRYNUM_FINITE(n) ((n) > SLAP_RETRYNUM_FOREVER) /* not forever */ +} slap_retry_info_t; + +/* + * identity assertion modes + */ +typedef enum { + LDAP_BACK_IDASSERT_LEGACY = 1, + LDAP_BACK_IDASSERT_NOASSERT, + LDAP_BACK_IDASSERT_ANONYMOUS, + LDAP_BACK_IDASSERT_SELF, + LDAP_BACK_IDASSERT_OTHERDN, + LDAP_BACK_IDASSERT_OTHERID +} slap_idassert_mode_t; + +/* ID assert stuff */ +typedef struct slap_idassert_t { + slap_idassert_mode_t si_mode; +#define li_idassert_mode li_idassert.si_mode + + slap_bindconf si_bc; +#define li_idassert_authcID li_idassert.si_bc.sb_authcId +#define li_idassert_authcDN li_idassert.si_bc.sb_binddn +#define li_idassert_passwd li_idassert.si_bc.sb_cred +#define li_idassert_authzID li_idassert.si_bc.sb_authzId +#define li_idassert_authmethod li_idassert.si_bc.sb_method +#define li_idassert_sasl_mech li_idassert.si_bc.sb_saslmech +#define li_idassert_sasl_realm li_idassert.si_bc.sb_realm +#define li_idassert_secprops li_idassert.si_bc.sb_secprops +#define li_idassert_tls li_idassert.si_bc.sb_tls + + unsigned si_flags; +#define LDAP_BACK_AUTH_NONE (0x00U) +#define LDAP_BACK_AUTH_NATIVE_AUTHZ (0x01U) +#define LDAP_BACK_AUTH_OVERRIDE (0x02U) +#define LDAP_BACK_AUTH_PRESCRIPTIVE (0x04U) +#define LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ (0x08U) +#define LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND (0x10U) +#define LDAP_BACK_AUTH_AUTHZ_ALL (0x20U) +#define li_idassert_flags li_idassert.si_flags + + BerVarray si_authz; +#define li_idassert_authz li_idassert.si_authz +} slap_idassert_t; + +/* + * Hook to allow mucking with ldapinfo_t when quarantine is over + */ +typedef int (*ldap_back_quarantine_f)( struct ldapinfo_t *, void * ); + +typedef struct ldapinfo_t { + /* li_uri: the string that goes into ldap_initialize() + * TODO: use li_acl.sb_uri instead */ + char *li_uri; + /* li_bvuri: an array of each single URI that is equivalent; + * to be checked for the presence of a certain item */ + BerVarray li_bvuri; + ldap_pvt_thread_mutex_t li_uri_mutex; + + LDAP_REBIND_PROC *li_rebind_f; + LDAP_URLLIST_PROC *li_urllist_f; + void *li_urllist_p; + + /* we only care about the TLS options here */ + slap_bindconf li_tls; + + slap_bindconf li_acl; +#define li_acl_authcID li_acl.sb_authcId +#define li_acl_authcDN li_acl.sb_binddn +#define li_acl_passwd li_acl.sb_cred +#define li_acl_authzID li_acl.sb_authzId +#define li_acl_authmethod li_acl.sb_method +#define li_acl_sasl_mech li_acl.sb_saslmech +#define li_acl_sasl_realm li_acl.sb_realm +#define li_acl_secprops li_acl.sb_secprops /* ID assert stuff */ - int idassert_mode; -#define LDAP_BACK_IDASSERT_LEGACY 0 -#define LDAP_BACK_IDASSERT_NOASSERT 1 -#define LDAP_BACK_IDASSERT_ANONYMOUS 2 -#define LDAP_BACK_IDASSERT_SELF 3 -#define LDAP_BACK_IDASSERT_OTHERDN 4 -#define LDAP_BACK_IDASSERT_OTHERID 5 - struct berval idassert_id; - BerVarray idassert_authz; + slap_idassert_t li_idassert; /* end of ID assert stuff */ -#endif /* LDAP_BACK_PROXY_AUTHZ */ - - ldap_pvt_thread_mutex_t conn_mutex; - int savecred; - Avlnode *conntree; - -#if 0 -#ifdef ENABLE_REWRITE - struct rewrite_info *rwinfo; -#else /* !ENABLE_REWRITE */ - BerVarray suffix_massage; -#endif /* !ENABLE_REWRITE */ - struct ldapmap oc_map; - struct ldapmap at_map; -#endif - - struct ldaprwmap rwmap; -}; - -/* Whatever context ldap_back_dn_massage needs... */ -typedef struct dncookie { - struct ldaprwmap *rwmap; - -#ifdef ENABLE_REWRITE - Connection *conn; - char *ctx; - SlapReply *rs; -#else - int normalized; - int tofrom; -#endif -} dncookie; - -struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs); -int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs); -int ldap_back_map_result(SlapReply *rs); -int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, - ber_int_t msgid, int sendok); -int back_ldap_LTX_init_module(int argc, char *argv[]); - -int ldap_back_dn_massage(dncookie *dc, struct berval *dn, - struct berval *res); - -extern int ldap_back_conn_cmp( const void *c1, const void *c2); -extern int ldap_back_conn_dup( void *c1, void *c2 ); -extern void ldap_back_conn_free( void *c ); - -/* attributeType/objectClass mapping */ -int mapping_cmp (const void *, const void *); -int mapping_dup (void *, void *); - -void ldap_back_map_init ( struct ldapmap *lm, struct ldapmapping ** ); -void ldap_back_map ( struct ldapmap *map, struct berval *s, struct berval *m, - int remap ); -#define BACKLDAP_MAP 0 -#define BACKLDAP_REMAP 1 -char * -ldap_back_map_filter( - struct ldapmap *at_map, - struct ldapmap *oc_map, - struct berval *f, - int remap -); - -int -ldap_back_map_attrs( - struct ldapmap *at_map, - AttributeName *a, - int remap, - char ***mapped_attrs -); - -extern void mapping_free ( void *mapping ); - -extern int ldap_back_map_config( - struct ldapmap *oc_map, - struct ldapmap *at_map, - const char *fname, - int lineno, - int argc, - char **argv ); - -extern int -ldap_back_filter_map_rewrite( - dncookie *dc, - Filter *f, - struct berval *fstr, - int remap ); - -/* suffix massaging by means of librewrite */ -#ifdef ENABLE_REWRITE -extern int suffix_massage_config( struct rewrite_info *info, - struct berval *pvnc, struct berval *nvnc, - struct berval *prnc, struct berval *nrnc); -#endif /* ENABLE_REWRITE */ -extern int ldap_dnattr_rewrite( dncookie *dc, BerVarray a_vals ); -extern int ldap_dnattr_result_rewrite( dncookie *dc, BerVarray a_vals ); - -#ifdef LDAP_BACK_PROXY_AUTHZ -extern int -ldap_back_proxy_authz_ctrl( - struct ldapconn *lc, - Operation *op, - SlapReply *rs, - LDAPControl ***pctrls ); -#endif /* LDAP_BACK_PROXY_AUTHZ */ + int li_nretries; +#define LDAP_BACK_RETRY_UNDEFINED (-2) +#define LDAP_BACK_RETRY_FOREVER (-1) +#define LDAP_BACK_RETRY_NEVER (0) +#define LDAP_BACK_RETRY_DEFAULT (3) + + unsigned li_flags; + +/* 0xFFF00000U are reserved for back-meta */ + +#define LDAP_BACK_F_NONE (0x00000000U) +#define LDAP_BACK_F_SAVECRED (0x00000001U) +#define LDAP_BACK_F_USE_TLS (0x00000002U) +#define LDAP_BACK_F_PROPAGATE_TLS (0x00000004U) +#define LDAP_BACK_F_TLS_CRITICAL (0x00000008U) +#define LDAP_BACK_F_TLS_LDAPS (0x00000010U) + +#define LDAP_BACK_F_TLS_USE_MASK (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_TLS_CRITICAL) +#define LDAP_BACK_F_TLS_PROPAGATE_MASK (LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL) +#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK|LDAP_BACK_F_TLS_LDAPS) +#define LDAP_BACK_F_CHASE_REFERRALS (0x00000020U) +#define LDAP_BACK_F_PROXY_WHOAMI (0x00000040U) + +#define LDAP_BACK_F_T_F (0x00000080U) +#define LDAP_BACK_F_T_F_DISCOVER (0x00000100U) +#define LDAP_BACK_F_T_F_MASK (LDAP_BACK_F_T_F) +#define LDAP_BACK_F_T_F_MASK2 (LDAP_BACK_F_T_F_MASK|LDAP_BACK_F_T_F_DISCOVER) + +#define LDAP_BACK_F_MONITOR (0x00000200U) +#define LDAP_BACK_F_SINGLECONN (0x00000400U) +#define LDAP_BACK_F_USE_TEMPORARIES (0x00000800U) + +#define LDAP_BACK_F_ISOPEN (0x00001000U) + +#define LDAP_BACK_F_CANCEL_ABANDON (0x00000000U) +#define LDAP_BACK_F_CANCEL_IGNORE (0x00002000U) +#define LDAP_BACK_F_CANCEL_EXOP (0x00004000U) +#define LDAP_BACK_F_CANCEL_EXOP_DISCOVER (0x00008000U) +#define LDAP_BACK_F_CANCEL_MASK (LDAP_BACK_F_CANCEL_IGNORE|LDAP_BACK_F_CANCEL_EXOP) +#define LDAP_BACK_F_CANCEL_MASK2 (LDAP_BACK_F_CANCEL_MASK|LDAP_BACK_F_CANCEL_EXOP_DISCOVER) + +#define LDAP_BACK_F_QUARANTINE (0x00010000U) + +#ifdef SLAP_CONTROL_X_SESSION_TRACKING +#define LDAP_BACK_F_ST_REQUEST (0x00020000U) +#define LDAP_BACK_F_ST_RESPONSE (0x00040000U) +#endif /* SLAP_CONTROL_X_SESSION_TRACKING */ + +#define LDAP_BACK_ISSET_F(ff,f) ( ( (ff) & (f) ) == (f) ) +#define LDAP_BACK_ISMASK_F(ff,m,f) ( ( (ff) & (m) ) == (f) ) + +#define LDAP_BACK_ISSET(li,f) LDAP_BACK_ISSET_F( (li)->li_flags, (f) ) +#define LDAP_BACK_ISMASK(li,m,f) LDAP_BACK_ISMASK_F( (li)->li_flags, (m), (f) ) + +#define LDAP_BACK_SAVECRED(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_SAVECRED ) +#define LDAP_BACK_USE_TLS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_USE_TLS ) +#define LDAP_BACK_PROPAGATE_TLS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_PROPAGATE_TLS ) +#define LDAP_BACK_TLS_CRITICAL(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_TLS_CRITICAL ) +#define LDAP_BACK_CHASE_REFERRALS(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_CHASE_REFERRALS ) +#define LDAP_BACK_PROXY_WHOAMI(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_PROXY_WHOAMI ) + +#define LDAP_BACK_USE_TLS_F(ff) LDAP_BACK_ISSET_F( (ff), LDAP_BACK_F_USE_TLS ) +#define LDAP_BACK_PROPAGATE_TLS_F(ff) LDAP_BACK_ISSET_F( (ff), LDAP_BACK_F_PROPAGATE_TLS ) +#define LDAP_BACK_TLS_CRITICAL_F(ff) LDAP_BACK_ISSET_F( (ff), LDAP_BACK_F_TLS_CRITICAL ) + +#define LDAP_BACK_T_F(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F ) +#define LDAP_BACK_T_F_DISCOVER(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER ) + +#define LDAP_BACK_MONITOR(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_MONITOR ) +#define LDAP_BACK_SINGLECONN(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_SINGLECONN ) +#define LDAP_BACK_USE_TEMPORARIES(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_USE_TEMPORARIES) + +#define LDAP_BACK_ISOPEN(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_ISOPEN ) + +#define LDAP_BACK_ABANDON(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_ABANDON ) +#define LDAP_BACK_IGNORE(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_IGNORE ) +#define LDAP_BACK_CANCEL(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK, LDAP_BACK_F_CANCEL_EXOP ) +#define LDAP_BACK_CANCEL_DISCOVER(li) LDAP_BACK_ISMASK( (li), LDAP_BACK_F_CANCEL_MASK2, LDAP_BACK_F_CANCEL_EXOP_DISCOVER ) + +#define LDAP_BACK_QUARANTINE(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_QUARANTINE ) + +#ifdef SLAP_CONTROL_X_SESSION_TRACKING +#define LDAP_BACK_ST_REQUEST(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_ST_REQUEST) +#define LDAP_BACK_ST_RESPONSE(li) LDAP_BACK_ISSET( (li), LDAP_BACK_F_ST_RESPONSE) +#endif /* SLAP_CONTROL_X_SESSION_TRACKING */ + + int li_version; + + /* cached connections; + * special conns are in tailq rather than in tree */ + ldap_avl_info_t li_conninfo; + struct { + int lic_num; + LDAP_TAILQ_HEAD(lc_conn_priv_q, ldapconn_t) lic_priv; + } li_conn_priv[ LDAP_BACK_PCONN_LAST ]; + int li_conn_priv_max; +#define LDAP_BACK_CONN_PRIV_MIN (1) +#define LDAP_BACK_CONN_PRIV_MAX (256) + /* must be between LDAP_BACK_CONN_PRIV_MIN + * and LDAP_BACK_CONN_PRIV_MAX ! */ +#define LDAP_BACK_CONN_PRIV_DEFAULT (16) + + ldap_monitor_info_t li_monitor_info; + + sig_atomic_t li_isquarantined; +#define LDAP_BACK_FQ_NO (0) +#define LDAP_BACK_FQ_YES (1) +#define LDAP_BACK_FQ_RETRYING (2) + + slap_retry_info_t li_quarantine; + ldap_pvt_thread_mutex_t li_quarantine_mutex; + ldap_back_quarantine_f li_quarantine_f; + void *li_quarantine_p; + + time_t li_network_timeout; + time_t li_conn_ttl; + time_t li_idle_timeout; + time_t li_timeout[ SLAP_OP_LAST ]; +} ldapinfo_t; + +typedef enum ldap_back_send_t { + LDAP_BACK_DONTSEND = 0x00, + LDAP_BACK_SENDOK = 0x01, + LDAP_BACK_SENDERR = 0x02, + LDAP_BACK_SENDRESULT = (LDAP_BACK_SENDOK|LDAP_BACK_SENDERR), + LDAP_BACK_BINDING = 0x04, + + LDAP_BACK_BIND_DONTSEND = (LDAP_BACK_BINDING), + LDAP_BACK_BIND_SOK = (LDAP_BACK_BINDING|LDAP_BACK_SENDOK), + LDAP_BACK_BIND_SERR = (LDAP_BACK_BINDING|LDAP_BACK_SENDERR), + LDAP_BACK_BIND_SRES = (LDAP_BACK_BINDING|LDAP_BACK_SENDRESULT), + + LDAP_BACK_RETRYING = 0x08, + LDAP_BACK_RETRY_DONTSEND = (LDAP_BACK_RETRYING), + LDAP_BACK_RETRY_SOK = (LDAP_BACK_RETRYING|LDAP_BACK_SENDOK), + LDAP_BACK_RETRY_SERR = (LDAP_BACK_RETRYING|LDAP_BACK_SENDERR), + LDAP_BACK_RETRY_SRES = (LDAP_BACK_RETRYING|LDAP_BACK_SENDRESULT), + + LDAP_BACK_GETCONN = 0x10 +} ldap_back_send_t; + +/* define to use asynchronous StartTLS */ +#define SLAP_STARTTLS_ASYNCHRONOUS + +/* timeout to use when calling ldap_result() */ +#define LDAP_BACK_RESULT_TIMEOUT (0) +#define LDAP_BACK_RESULT_UTIMEOUT (100000) +#define LDAP_BACK_TV_SET(tv) \ + do { \ + (tv)->tv_sec = LDAP_BACK_RESULT_TIMEOUT; \ + (tv)->tv_usec = LDAP_BACK_RESULT_UTIMEOUT; \ + } while ( 0 ) + +#ifndef LDAP_BACK_PRINT_CONNTREE +#define LDAP_BACK_PRINT_CONNTREE 0 +#endif /* !LDAP_BACK_PRINT_CONNTREE */ + +typedef struct ldap_extra_t { + int (*proxy_authz_ctrl)( Operation *op, SlapReply *rs, struct berval *bound_ndn, + int version, slap_idassert_t *si, LDAPControl *ctrl ); + int (*controls_free)( Operation *op, SlapReply *rs, LDAPControl ***pctrls ); +} ldap_extra_t; LDAP_END_DECL +#include "proto-ldap.h" + #endif /* SLAPD_LDAP_H */